Vibe Coding Security Guide
Everything you need to know to build secure applications with AI coding assistants. From basic principles to advanced security patterns.
See how your app measures up. Free security scan.
Core Security Principles
Trust But Verify
AI-generated code is a starting point, not a finished product. Always review security-critical sections before deploying.
Secrets Stay Secret
Never paste real API keys, passwords, or credentials into AI prompts. Use placeholder values and environment variables.
Know Your Attack Surface
Understand what parts of your app are exposed to the internet and focus security efforts there.
Speed ≠ Skipping Security
The productivity gains from AI should fund security reviews, not replace them.
Security by Area
Authentication & Authorization
The most critical area for security review. AI often generates auth code that works but isn't secure.
Do
- Use established auth libraries (NextAuth, Clerk, Auth0) instead of custom implementations
- Verify that session tokens are properly validated on every request
- Test authorization - can users access resources they shouldn't?
- Implement proper password hashing (bcrypt, argon2) if handling passwords
- Add rate limiting to login and signup endpoints
Don't
- Trust AI to implement secure JWT validation without review
- Use MD5 or SHA1 for password hashing (even if AI suggests it)
- Implement custom session management when libraries exist
- Skip testing authorization for different user roles
Common AI Mistakes
- •Generating JWT secrets that are too short or predictable
- •Missing token expiration validation
- •Checking authentication but not authorization
- •Storing passwords in plain text or with weak hashing
API Keys & Secrets Management
The #1 cause of security incidents in vibe-coded apps. AI frequently suggests insecure patterns.
Do
- Use environment variables for ALL secrets from day one
- Add .env files to .gitignore before creating them
- Use different keys for development and production
- Rotate keys if they've ever been exposed
- Use secret scanning tools in your CI/CD pipeline
Don't
- Paste real API keys into AI prompts
- Commit .env files or hardcode secrets
- Use the same keys across environments
- Ignore secret scanning warnings
Common AI Mistakes
- •Suggesting hardcoded API keys in example code
- •Not including .env in .gitignore templates
- •Exposing server-side keys to the client
- •Using predictable key names that get committed
Database Security
SQL injection and NoSQL injection remain in the OWASP Top 10. AI-generated queries need careful review.
Do
- Use parameterized queries or ORMs for all database operations
- Implement Row Level Security (RLS) for multi-tenant apps
- Validate and sanitize all user input before queries
- Use least-privilege database users in production
- Enable SSL for database connections
Don't
- Concatenate user input into SQL queries
- Trust AI-generated raw SQL without review
- Use root/admin database credentials in your app
- Disable SSL for 'convenience' during development
Common AI Mistakes
- •Generating string interpolation in SQL queries
- •Missing RLS policies for Supabase/PostgreSQL
- •Suggesting overly permissive database permissions
- •Not escaping special characters in NoSQL queries
Frontend Security
XSS, CSRF, and client-side vulnerabilities are common in AI-generated frontend code.
Do
- Use framework built-in XSS protection (React's JSX escaping)
- Implement CSRF tokens for state-changing operations
- Validate all user input on the server, not just client
- Set proper Content Security Policy headers
- Use HttpOnly cookies for sensitive tokens
Don't
- Use dangerouslySetInnerHTML without sanitization
- Trust client-side validation as your only protection
- Store sensitive data in localStorage
- Expose internal API endpoints to the frontend
Common AI Mistakes
- •Suggesting dangerouslySetInnerHTML for rendering content
- •Implementing validation only on the frontend
- •Storing JWTs in localStorage instead of HttpOnly cookies
- •Missing CSRF protection on form submissions
API Security
API endpoints are the gateway to your backend. Every endpoint needs proper security.
Do
- Validate all request parameters and body data
- Implement rate limiting on all public endpoints
- Use proper HTTP methods (GET for reads, POST for writes)
- Return appropriate error messages (not stack traces)
- Log security-relevant events (failed logins, auth errors)
Don't
- Trust that request data is well-formed
- Expose detailed error messages in production
- Allow unlimited requests without rate limiting
- Skip input validation for 'internal' APIs
Common AI Mistakes
- •Missing input validation on API endpoints
- •Returning full stack traces in error responses
- •Not implementing rate limiting
- •Using GET requests for state-changing operations
Dependency Security
Your app includes hundreds of dependencies. Each one is a potential vulnerability.
Do
- Run npm audit regularly and fix vulnerabilities
- Keep dependencies updated, especially security patches
- Use lockfiles (package-lock.json) to pin versions
- Review new dependencies before adding them
- Set up Dependabot or similar automated updates
Don't
- Ignore npm audit warnings indefinitely
- Add random packages without checking their reputation
- Use wildcard version ranges in package.json
- Disable lockfile generation
Common AI Mistakes
- •Suggesting outdated or deprecated packages
- •Not including security-focused dependencies
- •Using packages with known vulnerabilities
- •Suggesting unnecessary dependencies
Quick Security Checklist
Before deploying any vibe-coded application, verify these basics:
Check Your App Against This Guide
Our security scanner checks for all the issues mentioned in this guide automatically. Get a comprehensive report in minutes.
Run Get Starter ScanFrequently Asked Questions
How much time should I spend on security for a vibe-coded app?
A good rule of thumb: spend 10-15% of your development time on security. For a weekend project, that's a few hours of review. For a production app, it's a proper security audit. The key is making security part of your workflow, not an afterthought.
Should I use security libraries or write my own code?
Always use established libraries for security-critical functions like authentication, encryption, and session management. These libraries are battle-tested and maintained by security experts. Writing your own crypto or auth code is almost never the right choice.
How do I know if my AI-generated code is secure?
You can't know for certain without review. The best approach: use automated security scanners for common issues, manually review auth/payment/data handling code, and test your app like an attacker would. A quick security scan can catch 80% of common issues.
What's the minimum security for an MVP?
Even MVPs need: 1) Secrets in environment variables (not code), 2) Authentication using a library (not custom), 3) HTTPS, 4) Input validation on APIs. These basics take an hour to implement correctly and prevent the most common attacks.
Can I prompt the AI to write secure code?
Prompting helps but isn't reliable. You can ask for 'secure authentication' or 'parameterized queries,' and AI will often comply. But it may still make subtle mistakes. Treat security prompts as hints, not guarantees - always verify the output.
What security tools should I use with vibe coding?
Essential tools: 1) Secret scanner (GitGuardian, TruffleHog) to catch exposed keys, 2) Dependency scanner (npm audit, Snyk) for vulnerable packages, 3) Security linter (ESLint security plugins) for code issues. For comprehensive scanning, VAS checks all these plus headers and configurations.